Microsoft's About-Face: Security Now Job One

A Bill Gates e-mail to Microsoft employees outlines his vision to make security the company's highest priority, taking precedence over even functionality.

As the launch of Microsoft Corp.'s critical .Net Framework draws closer, Bill Gates is launching an all-out effort to repair his company's reputation for poor security and reliability.
Gates, chairman and chief software architect of Microsoft in Redmond, Wash., has developed a broad-based plan to combat present and future security and reliability problems in all Microsoft products. Gates last week sent an e-mail to all Microsoft employees outlining his vision for Trustworthy Computing, a design, development and implementation philosophy that he hopes will restore some of the confidence that the company's persistent security problems have eroded in recent years.
The heart of the plan involves a dramatic about-face for Microsoft, with Gates calling for security to be the company's highest priority, taking precedence over even functionality, which long has been the No. 1 concern for Microsoft software designers.

"In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible," Gates wrote in the message, a copy of which was obtained by eWEEK. "We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

In his memo, Gates praises his company's work on the .Net Framework but says that it will all be for naught if security, privacy and reliability continue to pose problems for the platform. "Over the last year it has become clear that ensuring .Net is a platform for Trustworthy Computing is more important than any other part of our work," he wrote. "If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do."
Gates' memo comes on the heels of two embarrassing security and reliability gaffes for the company. For five days earlier this week Windows customers were unable to download a critical security patch for a vulnerability in Internet Explorer when a DNS error made the server with the patch unreachable. And, on Wednesday, the Microsoft Developer Network servers became overloaded when millions of developers simultaneously tried to download the final code for the .Net Framework.
The apparent shift in priorities to security has softened even some of Microsoft's harshest critics.

"As a longtime Microsoft skeptic, it's hard to take any press announcement from them seriously. But this one comes from Gates himself," said Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc., in Cupertino, Calif., and a vocal critic of Microsoft's security practices. "I congratulate Bill Gates on his willingness to move the company in this manner. If he can actually implement these sorts of changes within Microsoft, it will represent a sea change for the company. To have Microsoft as a company focusing on security will make the Internet a safer place."